ECCouncil Updated 312-50v13 Exam Questions and Answers by alvin

Port scanning is the CEH-aligned technique used to identify available access points into systems, where “access points” refers to open TCP and UDP ports and the services listening on them. In the reconnaissance and scanning phases described in CEH methodology, testers first enumerate live hosts and then perform port scanning to discover which network services are reachable, such as HTTP on 80 or 443, SSH on 22, RDP on 3389, DNS on 53, and many others. This information directly guides the next steps of analysis by revealing the attack surface: what services are exposed, which systems are running them, and which ports may permit remote interaction.

Vulnerability scanning is different because it attempts to identify known weaknesses or misconfigurations and typically requires service detection, versioning, and signature or configuration checks. It is usually performed after ports and services are discovered, not as the first method for finding “available access points.” Topology mapping focuses on understanding how the network is structured, including routing paths, device relationships, and segmentation boundaries. Network scanning is a broader term that can include host discovery and other probes, but it is less precise than port scanning for identifying the specific entry points that an attacker could use to connect.

Under ethical guidelines, port scanning is conducted with proper authorization, scoped targets, controlled timing to avoid disruption, and clear reporting of open ports, detected services, and risk implications so defenders can reduce exposure by closing unnecessary ports and hardening required services.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

The defense described—keeping user inputs separate from the SQL statement and binding them as fixed values before execution—is the defining characteristic of parameterized queries (prepared statements). This is one of the most effective and widely recommended countermeasures against SQL injection because it prevents attacker input from being interpreted as SQL code.

In a vulnerable application, developers often build SQL statements by concatenating strings, such as "SELECT ... WHERE user='" + input + "'". In that pattern, malicious payloads can alter the query structure (adding conditions, UNIONs, comments, or stacked queries). With prepared statements, the SQL engine receives the query structure first (the template), and then receives the parameter values separately. The database treats the parameters strictly as data, not executable SQL. As a result, even if an attacker submits quotes, keywords, or operators, those characters remain part of the parameter value and cannot change the query’s logic.

The scenario specifically says inputs are “bound as fixed values,” which is direct language associated with parameter binding. That makes option D the best answer.

Why the other options are less accurate:

User input validation (A) is helpful but can be bypassed and is not as robust as parameterization; also the described mechanism is not validation but binding separation.

Restrict database access (B) is a defense-in-depth measure (least privilege) that reduces impact, but it does not inherently stop injection from occurring.

Encoding the single quote (C) is a legacy/insufficient approach; encoding or escaping can be error-prone and DBMS-specific, and it does not match the description of parameters being bound separately.

Therefore, the application is using D. Use parameterized queries or prepared statements.

Maria most likely used fileless malware, because the scenario explicitly describes malicious activity that does not write a payload executable to disk and instead executes entirely in memory using PowerShell and process injection. In CEH-aligned malware classifications, fileless malware is characterized by leveraging legitimate system tools (often called “living off the land” utilities) such as PowerShell, WMI, cmd.exe, or scripting engines to execute attacker-controlled code without creating traditional malware files on the filesystem. Since many legacy antivirus solutions depend heavily on signature-based scanning of files on disk, purely memory-resident execution can reduce or eliminate typical AV detections and leave minimal artifacts in standard AV logs.

The description also mentions that after a reboot the system returns to normal, which strongly supports fileless behavior: if the attacker did not establish persistence (for example via registry run keys, scheduled tasks, services, or WMI event subscriptions), then the in-memory code and injected instructions would be cleared when memory is reset. The “abnormal spikes in resource usage” are consistent with malicious scripts running inside a trusted process context, where attackers may inject or reflectively load code to blend into normal operating activity and evade straightforward monitoring.

Why the other options are incorrect: a rootkit primarily focuses on stealth through deep system-level hiding (often kernel/driver-level) and is commonly associated with persistent concealment rather than “no disk footprint” PowerShell-only execution. A trojan is typically a malicious program masquerading as legitimate software and usually involves a delivered executable or application. Ransomware is defined by encrypting data and extorting payment, which is not described here.

Thus, the technique most consistent with the test is fileless malware executed via PowerShell and memory-only injection.